From cd4d4fed9803036201ace6287f2f8c16bd2f4a2f Mon Sep 17 00:00:00 2001
From: Damien Neil
Date: Wed, 17 Apr 2024 08:10:40 -0700
Subject: [PATCH] data/reports: add GO-2024-2730.yaml

Fixes golang/vulndb#2730

Change-Id: I9c60734d2ad51989ad9137260cbebfee22128872
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/579655
Reviewed-by: Tatiana Bradley
LUCI-TryBot-Result: Go LUCI
---
data/osv/GO-2024-2730.json | 58 ++++++++++++++++++++++++++++++++++
data/reports/GO-2024-2730.yaml | 37 ++++++++++++++++++++++
2 files changed, 95 insertions(+)
create mode 100644 data/osv/GO-2024-2730.json
create mode 100644 data/reports/GO-2024-2730.yaml
diff --git a/data/osv/GO-2024-2730.json b/data/osv/GO-2024-2730.json
new file mode 100644
index 00000000..de82aa57
--- /dev/null
+++ b/data/osv/GO-2024-2730.json
@@ -0,0 +1,58 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2024-2730",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "related": [
+ "CVE-2024-3400"
+ ],
+ "summary": "Directory traversal in FilesystemStore in github.com/gorilla/sessions",
+ "details": "FilesystemStore does not sanitize the Session.ID value, making it vulnerable to directory traversal attacks. If an attacker has control over the contents of the session ID, this can be exploited to write to arbitrary files in the filesystem.\n\nPrograms which do not set session IDs explicitly, or which only set session IDs that will not be interpreted by the filesystem, are not vulnerable.",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/gorilla/sessions",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/gorilla/sessions",
+ "symbols": [
+ "CookieStore.Get",
+ "FilesystemStore.Get",
+ "FilesystemStore.New",
+ "FilesystemStore.Save",
+ "FilesystemStore.erase",
+ "FilesystemStore.load",
+ "FilesystemStore.save",
+ "Registry.Get",
+ "Registry.Save",
+ "Save",
+ "Session.Save"
+ ]
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "FIX",
+ "url": "https://github.com/gorilla/sessions/pull/274"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2024-2730"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2024-2730.yaml b/data/reports/GO-2024-2730.yaml
new file mode 100644
index 00000000..ef88ca9f
--- /dev/null
+++ b/data/reports/GO-2024-2730.yaml
@@ -0,0 +1,37 @@
+id: GO-2024-2730
+modules:
+ - module: github.com/gorilla/sessions
+ vulnerable_at: 1.2.2
+ packages:
+ - package: github.com/gorilla/sessions
+ symbols:
+ - FilesystemStore.save
+ - FilesystemStore.load
+ - FilesystemStore.erase
+ derived_symbols:
+ - CookieStore.Get
+ - FilesystemStore.Get
+ - FilesystemStore.New
+ - FilesystemStore.Save
+ - Registry.Get
+ - Registry.Save
+ - Save
+ - Session.Save
+summary: Directory traversal in FilesystemStore in github.com/gorilla/sessions
+description: |-
+ FilesystemStore does not sanitize the Session.ID value,
+ making it vulnerable to directory traversal attacks.
+ If an attacker has control over the contents of the session ID,
+ this can be exploited to write to arbitrary files in the
+ filesystem.
+
+ Programs which do not set session IDs explicitly,
+ or which only set session IDs that will not be
+ interpreted by the filesystem, are not vulnerable.
+related:
+ - CVE-2024-3400
+references:
+ - fix: https://github.com/gorilla/sessions/pull/274
+source:
+ id: go-security-team
+ created: 2024-04-17T07:45:30.470362-07:00
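Review bot: The report records no fixed version: the module entry has `vulnerable_at: 1.2.2` but no `versions:` entry, so the generated data/osv/GO-2024-2730.json carries only `"introduced": "0"` with no `fixed` event and every release of github.com/gorilla/sessions is reported as affected, even though `references:` already lists a fix PR. Once that PR is available in a tagged release, record the boundary under the module, e.g. `versions:` with `fixed: <fixed-version>` (placeholder; the release is not named on this page), so scanners stop flagging programs that have upgraded. Separately, `description:` mentions only writing arbitrary files while `symbols:` also lists `FilesystemStore.load` and `FilesystemStore.erase`, which suggests that reads and deletions through a traversing session ID are in scope as well; if that is the case, the text should say `read, write, or delete arbitrary files` so operators triage the impact correctly.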